authorNick Lowe <nick.lowe@lugatech.com>2016-01-24 11:37:46 (GMT)
committerJouni Malinen <j@w1.fi>2016-02-06 15:10:19 (GMT)
commitd72a00539ca793ecd3137ae308bc173271d8b882 (patch)
treef0f9f7c3e65e08d0a597bf42bdff9daeb3a84746 /src/eapol_auth/eapol_auth_sm.c
parentd689317ddbf58487432951a4afb2f4070eeb10b6 (diff)
RADIUS: Use more likely unique accounting Acct-{,Multi-}Session-Id
Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to give better global and temporal uniqueness. Previously, only 32-bits of the Acct-Session-Id would contain random data, the other 32-bits would be incremented. Previously, the Acct-Multi-Session-Id would not use random data. Switch from two u32 variables to a single u64 for the Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves no legitimate purpose. Exclusively use os_get_random() to get quality random numbers, do not use or mix in the time. Inherently take a dependency on /dev/urandom working properly therefore. Remove the global Acct-Session-Id and Acct-Multi-Session-Id values that serve no legitimate purpose. Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Diffstat (limited to 'src/eapol_auth/eapol_auth_sm.c')
-rw-r--r--src/eapol_auth/eapol_auth_sm.c21
1 files changed, 10 insertions, 11 deletions
diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c
index cdbec4e..62db368 100644
--- a/src/eapol_auth/eapol_auth_sm.c
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -866,10 +866,16 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
sm->radius_cui = wpabuf_alloc_copy(radius_cui,
os_strlen(radius_cui));
- sm->acct_multi_session_id_lo = eapol->acct_multi_session_id_lo++;
- if (eapol->acct_multi_session_id_lo == 0)
- eapol->acct_multi_session_id_hi++;
- sm->acct_multi_session_id_hi = eapol->acct_multi_session_id_hi;
+ /*
+ * Acct-Multi-Session-Id should be globally and temporarily unique.
+ * A high quality random number is required therefore.
+ * This could be be improved by switching to a GUID.
+ */
+ if (os_get_random((u8 *) &sm->acct_multi_session_id,
+ sizeof(sm->acct_multi_session_id)) < 0) {
+ eapol_auth_free(sm);
+ return NULL;
+ }
return sm;
}
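Review bot: The new failure branch after `os_get_random()` frees the state machine and returns NULL without logging anything, so an operator cannot tell an entropy-source failure from an ordinary allocation failure when stations suddenly stop being admitted. Failing closed is the right choice here, but I would add `wpa_printf(MSG_ERROR, "EAPOL: Failed to get random data for Acct-Multi-Session-Id");` just before `eapol_auth_free(sm);`. The added comment also has two slips worth fixing while here: "temporarily unique" should read "temporally unique", and "could be be improved" has a doubled word. eapol_auth_alloc starts outside this hunk, so it cannot be confirmed from the visible lines that `eapol_auth_free()` is safe on the state `sm` has reached at this point; that is worth checking against the earlier setup.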
@@ -1274,7 +1280,6 @@ struct eapol_authenticator * eapol_auth_init(struct eapol_auth_config *conf,
struct eapol_auth_cb *cb)
{
struct eapol_authenticator *eapol;
- struct os_time now;
eapol = os_zalloc(sizeof(*eapol));
if (eapol == NULL)
@@ -1303,12 +1308,6 @@ struct eapol_authenticator * eapol_auth_init(struct eapol_auth_config *conf,
eapol->cb.erp_get_key = cb->erp_get_key;
eapol->cb.erp_add_key = cb->erp_add_key;
- /* Acct-Multi-Session-Id should be unique over reboots. If reliable
- * clock is not available, this could be replaced with reboot counter,
- * etc. */
- os_get_time(&now);
- eapol->acct_multi_session_id_hi = now.sec;
-
return eapol;
}